<> ... View more

Nope ... View more

I guess I just found the answer: "If the two MX’s public IP addresses match, then the MXs in question are in the same private network. As such, they should route to one another via their interface IP addresses" ... View more

Source: https://meraki.cisco.com/blog/2018/06/all-about-autovpn/: The punch process The punch process is actually the “client” in a client-server relationship, with the server portion being the “Cisco Meraki VPN Registry.” The VPN Registry is a service independent of the Meraki dashboard, used to register each MX’s public and interface IP addresses. The Registry then uses some simple logic to understand how to route between the various MXs in an organization (in order to create VPN tunnels). Namely: Check for match – If the MX’s public IP and the interface IP match, then the MX in question is directly connected to the internet on that WAN interface No Match – MX WAN circuits with different public IP addresses should route between those public IP addresses directly Route Initiated – If the two MX’s public IP addresses match, then the MXs in question are in the same private network. As such, they should route to one another via their interface IP addresses The VPN registry then passes this information to the dashboard. ... View more

Hi, Is this true also when the two internal MX appliances are in different subnets? I assume in either case there is hairpin NAT necessary on the internet gateway router.   Kind regards, Frank ... View more

Hi,   Installed 18.208 on MX85. Great performance increase.   But be warned we are experiencing issues with configured 1-to-1 NAT rules. MX dropping random packets as if there is something wrong in the session/translation table lookups   ... View more

Hi,   Thanks@MarcAEC for sharing, I stumbled upon this and the solution still seems to work good.   And it looks like the sharing of the 'disabled' routes is expected behavior as also described in the knowledge base:   https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior   Advanced Configurations->Static Route Tracking: The route tracking mechanism only has local significance, which means, that the status of the route doesn't influence whether the route is advertised or not and it won't affect the routing on the remote end of the VPN.   Cheers ... View more

Thanks for sharing @DrDray  ... View more

With a stack 2* MS390-24: First switch first port starts at 9 Second switch first port starts at 53 ... View more

MS390 SNMP ifIndex integer offset starts at 9 instead of 1   This is mentioned in 15.6 as fixed but I can confirm this is an issue on 15.21.1   ... View more

  MS390 SNMP ifIndex integer offset starts at 9 instead of 1 This was either not fixed or has returned. Currently on 15.21.1   ... View more

We just had this issue on 15.20. There seems to be some kind of relevance to a large L2 domain I think.   This was MS210 ... View more

The roaming client is only interfering with DNS and web traffic (if using the smart proxy)  so it’s probably because something is not resolving correctly or there is a conflict (post above from myhomenwlab) ... View more

Hi, did you try to configure the remote host in the windows vpn config based on the external IP of the VMX (instead of the dynamic hostname) ... View more

In my opinion the Advanced security throughput and all security features enabled throughput mean the same thing ... View more

Can you elaborate on that? According to the support engineers its not in development:   In that case, the answer is still no, and that is not something currently in development. You can request this as a feature by using the "Give your feedback" button on the bottom right of any Dashboard page however.     Maybe they use a different terminology which I should use in my case? ... View more

Hi as mentioned get the current rules, add your own and update: In python that will be something like this: l3Settings = dashboard.appliance.getNetworkApplianceFirewallL3FirewallRules(<network_id>) # print (l3Settings['rules'])  <-- add your rules   # Update: response = dashboard.appliance.updateNetworkApplianceFirewallL3FirewallRules(<network_id>, rules=l3Settings['rules'])   ... View more

Hi,   What you can do, although not a very pretty construction: 1. Create an account for the external user in your AD 2. Create a Meraki group policy with firewall rules as required for this user 3. Once the user has connected the first time, apply the policy to the client from the client page This works best when the default network firewall does not allow any traffic from client VPN subnet, and then this way you will be able to authorize them after first time connect. ... View more

Thanks, I'll set up a request in the API early access group. And I'll create a support case to ask about the delay I'm seeing ... View more

Yes exactly, but beware of @PhilipDAth post in your other question: "Building a site to site VPN from the MX85 (behind an MG) to a Sophos is likely to be a NIGHTMARE. I would avoid this at all costs." ... View more